At the end of October, the Cyberspace Administration of China (CAC) released draft rules that provide long-awaited details about a government security assessment process to be completed before transferring a wide variety of data out of China. The draft "Outbound Data Transfer Security Assessment Measures" (the 2021 draft Measures) are open for public comment until November 28. Since further revisions are likely before the final version, this analysis focuses on policy implications and legislative trends.
What led up to these draft cross-border data rules?

Security assessments for outbound data transfer have been coming, and evolving, for years.

The 2021 draft Measures are the latest update to a key piece of China's data governance and cybersecurity regime, a matrix of laws, regulations, and standards that has been developing in public view for half a decade. They come at a time when several long-awaited elements are falling into place, including the Data Security Law (DSL, effective Sept. 1, 2021) and the Personal Information Protection Law (PIPL, effective Nov. 1, 2021). These laws build on the longstanding architecture of the Cybersecurity Law (CSL, effective June 1, 2017), which first mandated security assessments for transferring data out of China.

When the final text of the CSL was published in 2016, one of its most discussed provisions was Article 37, which among other things calls for a security assessment before outbound transfers of "personal information" or "important data" that "critical information infrastructure" (CII) operators gather or produce during operations within the mainland. Details about those assessments, and about the definitions of CII, personal information, and important data, were not included. This is normal practice in China, where laws set out the broad strokes and the government publishes practical details separately.

Thus in April 2017, before the CSL took effect, the CAC released its first draft Measures on Security Assessment for Outbound Data Transfer of Personal Information and Important Data (《个人信息和重要数据出境安全评估办法(征求意见稿)》). This first draft, however, created more confusion than clarity. CSL Article 37 requires data localization only for CII operators, but the 2017 draft Measures expanded that scope to all "network operators", a separate and much broader concept under the CSL. It is unclear whether that shift was intentional, but regardless, this version was never finalized or put into effect.
Two years later, in June 2019, the CAC made another attempt, releasing draft Personal Information Outbound Transfer Security Assessment Measures (《个人信息出境安全评估办法(征求意见稿)》). This second draft addressed only personal information, omitting the other category covered by the CSL, important data. This 2019 version, too, was never finalized or implemented.

Yet another two years later, the present draft Measures were released at a time when many pending details of the data regulatory regime have been settled in the now-effective texts of the DSL and the PIPL. Both laws build on the CSL with clauses requiring data handlers to conduct security reviews before certain types of cross-border data transfers, and they contain different (but overlapping) rules for CII operators' data, important data, and personal information. The 2021 draft Measures, which cite all three laws, appear designed to integrate their requirements and to specify the process, scope, triggers, and criteria for outbound data transfer security assessments.

Are these cross-border data rules part of a crackdown on Chinese tech?

Not entirely, though they would give authorities more opportunities for enforcement.

The 2021 draft Measures and the two recently implemented laws arrived as government authorities were pursuing a spate of actions against Chinese internet platforms. But the new draft and the two finalized laws each have a much longer history and a broader significance than the targeted actions on market competition, online finance, and foreign listings. The Measures do, however, give authorities new powers and responsibilities that could be used in different ways. Their relationship to broader trends in government-business relations might best be judged by how they are enforced.

Who would the new draft Measures apply to?

Most "data handlers," a broader category than in earlier drafts.
According to Article 4 of the 2021 draft Measures, data handlers would need to submit to a security assessment before a cross-border data transfer if they:

(1) wish to transfer personal information or important data collected or produced by CII operators;
(2) wish to transfer important data;
(3) wish to transfer personal information and, overall, handle the personal information of more than 1 million people;
(4) cumulatively provide abroad the personal information of more than 100,000 people, or the sensitive personal information of more than 10,000 people; or
(5) fall under other circumstances to be specified by the regulator.

The use of the term "data handlers" in the new draft allows a unified approach to the three primary laws at issue: the PIPL and the DSL regulate data handlers, while the reference to CII operators transferring personal information or important data ties in the CSL. "Data handlers" were also introduced in a proposed amendment to the Cybersecurity Review Measures in July, following the Chinese government's broad action against ride-hailing company Didi Chuxing in the wake of its IPO; that amendment similarly enlarged the scope from CII operators to the broader category regulated by the two new laws.

What kinds of data would require security review before cross-border transfer?

It's still hard to say for sure.

Several key terms still lack thorough definitions, though there are recent indications about how clarity might finally come about. Here are three of the most crucial outstanding definitions:
Depending on how these definitions are specified or enforced in practice, the scope of regulated data could vary, but there is no indication that it will be narrow. Indeed, the lack of clarity, in some cases now five years after drafting, could itself have a chilling effect as those making decisions about data systems weigh risks going forward.

Read together, the 2021 draft Measures, the CSL, the DSL, and the PIPL produce a daunting compliance burden for covered organizations that seek to transfer data abroad. Taking personal information transfer as an example, they would need to provide detailed disclosure to data subjects, obtain separate consent, sign contracts with the foreign data recipients, conduct a personal information protection impact assessment and a transfer self-assessment covering several required items, obtain regulatory approval based on additional factors, and, last but not least, go through this outbound data transfer security assessment again at least every two years. Not one of these steps is necessarily simple in practice.

Between what's known and what's uncertain, would these new measures effectively shut down data transfers out of China for multinationals?

It depends.

Many assume that broad data localization mandates are already in place in China, but the reality (for now) is much messier: many multinational companies continue to transfer out of China some kinds of data that are necessary for global operations. The question is how long this can last and to what extent it may change. The 2021 draft Measures do not themselves contain the answers, but they do give more detail on the likely process and criteria involved in making these determinations. Recent standards (referenced above) spelling out categories of "important data" remain too broad to be of much more help.
The Data Security Law and an accompanying standard also introduce the category of "core national data." What this means for companies in practice will likely be left for individual industry regulators and specific companies to work out. There will also be compliance complications around the categories of data identified by the state and how that data is used in company systems.

Given the complexities and uncertainties brought by regulations with sweeping effect and burdensome obligations, companies doing business in China may increasingly face tough choices balancing data localization, compliance costs, business fragmentation, market attractiveness, regulatory risk, and reputational risk. Foreseeably, more businesses will choose to store the data of their Chinese operations locally. Multinational companies may seek to further separate and isolate their Chinese operations and infrastructure from those in other countries, at both the technical and the operational level. Things need not follow this most restrictive path, however, if China's regulators narrow the scope of impact and provide more clarity through implementing rules in the near future.

Are there possible pathways for more open data transfers than the broadest readings of recent developments suggest?

Where there's a will, there's a way.

Taking personal information as an example once again, the PIPL provides several legitimate grounds for outbound transfer of personal information. One is undergoing the assessment process outlined in the 2021 draft Measures.
The others include (1) "undergoing personal information protection certification" under rules that have not yet been set, (2) "concluding a contract with the foreign receiving side in accordance with a standard contract" to be formulated by the CAC, and (3) a treaty or international agreement concluded by China that "contain[s] relevant provisions such as conditions on providing personal data outside the borders." The law also reserves for the government the ability to specify, through further laws or administrative regulations, other conditions that would allow transfers.

These other avenues do not immediately make things easier for those wishing to transfer Chinese personal information abroad, but the third option in particular signals an intention on the part of the Chinese government to explore agreements with other governments that could allow negotiated blanket approvals for data transfer, likely within specific boundaries and conditions. Indeed, the PIPL took effect on November 1, the same day China announced it would seek accession to the Digital Economy Partnership Agreement (DEPA) between Chile, New Zealand, and Singapore, and roughly six weeks after China formally applied to join the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), a trade pact that includes significant provisions on cross-border data flows.

Finally, the draft Measures are just that: not final, and not in effect. The government will officially accept comments through November 28, and historically Chinese authorities have continued consultations with interested parties even longer before finalizing laws and regulations. In all, these factors by no means guarantee that the enormous barriers to cross-border business perceived by many in the business community and in foreign capitals will go away, but they do mean that the Chinese government has left itself a less restrictive option. The question is which path it chooses.